OpenVPN
Certifikační autorita
make-cadir /etc/openvpn/ca
cd /etc/openvpn/ca source vars ./clean-all ./build-ca
./build-key-server ovpn.mysh.cz ./build-dh ./build-key kosire.client.vpn.mysh.cz ./build-key limuzska.client.vpn.mysh.cz
Routování
Jednorázově
cat /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
Pro trvalé je je potřeba povolit ip_forward
v /etc/sysctl.conf
.
Server
Konfigurace pro server.
- /etc/openvpn/server.conf
################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # ################################################# port 1194 # TCP or UDP server? proto tcp ;proto udp # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap0" if you are ethernet bridging # and have precreated a tap0 virtual interface # and bridged it with your ethernet interface. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. dev tap ;dev tun ca ca.crt cert ovpn.mysh.cz.crt key ovpn.mysh.cz.key # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys. dh dh2048.pem # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. server 10.8.0.0 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ifconfig-pool-persist ipp.txt # Uncomment this directive to allow different # clients to be able to "see" each other. # By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. client-to-client # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. ;duplicate-cn # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 cipher AES-256-CBC # AES # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. #comp-lzo # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # Output a short status file showing # current connections, truncated # and rewritten every minute. status openvpn-status.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 3
RIP routování
apt-get install bird apt-get install bird-doc
systemctl enable bird
- /etc/bird/bird.conf
router id 198.51.100.1; protocol direct { interface "eth1"; # LAN network } protocol kernel { persist; # Don't remove routes on bird shutdown scan time 20; # Scan kernel routing table every 20 seconds export all; # Default is export none } protocol device { scan time 10; # Scan interfaces every 10 seconds } protocol static { } protocol rip MyRIP { # You can also use an explicit name debug all; interface "eth1", "tap0" { mode multicast; }; import filter { print "importing"; accept; }; export filter { print "exporting"; accept; }; }
systemctl start bird
Debugging
OpenVPN v popředí
/etc/init.d/openvpn stop /usr/sbin/openvpn --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf /etc/init.d/openvpn start
RIP
apt-get install tcpdump
tcpdump -i any -n udp and port 520 -vv
linux/openvpn.txt · Poslední úprava: 15.02.2019 22:57 autor: vm